1. 04 Mar, 2013 1 commit
    • fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman committed
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as its module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regard to the user's permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesystem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Reported-by: Kees Cook <keescook@google.com>
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  2. 23 Feb, 2013 1 commit
  3. 13 Dec, 2012 2 commits
  4. 03 Oct, 2012 1 commit
  5. 02 Oct, 2012 1 commit
    • ceph: let path portion of mount "device" be optional · c98f533c
      Alex Elder committed
      A recent change to /sbin/mountall causes any trailing '/' character
      in the "device" (or fs_spec) field in /etc/fstab to be stripped.  As
      a result, an entry for a ceph mount that intends to mount the root
      of the name space ends up with no path portion, and the ceph mount
      option processing code rejects this.
      
      That is, an entry in /etc/fstab like:
          cephserver:port:/ /mnt ceph defaults 0 0
      provides to the ceph code just "cephserver:port:" as the "device,"
      and that gets rejected.
      
      Although this is a bug in /sbin/mountall, we can have the ceph mount
      code support an empty/nonexistent path, interpreting it to mean the
      root of the name space.
      
      RFC 5952 offers recommendations for how to express IPv6 addresses,
      and recommends the usage found in RFC 3986 (which specifies the
      format for URIs) for representing both IPv4 and IPv6 addresses that
      include port numbers.  (See in particular the definition of
      "authority" found in the Appendix of RFC 3986.)
      
      According to those standards, no host specification will ever
      contain a '/' character.  As a result, it is sufficient to scan a
      provided "device" from an /etc/fstab entry for the first '/'
      character, and if it's found, treat that as the beginning of the
      path.  If no '/' character is present, we can treat the entire
      string as the monitor host specification(s), and assume the path
      to be the root of the name space.  We'll still require a ':' to
      separate the host portion from the (possibly empty) path portion.
      
      This means that we can more formally define how ceph will interpret
      the "device" it's provided when processing a mount request:
      
          "device" will look like:
              <server_spec>[,<server_spec>...]:[<path>]
          where
              <server_spec> is <ip>[:<port>]
              <path> is optional, but if present must begin with '/'
      
      This addresses http://tracker.newdream.net/issues/2919
      Signed-off-by: Alex Elder <elder@inktank.com>
      Reviewed-by: Dan Mick <dan.mick@inktank.com>
  6. 31 Jul, 2012 1 commit
  7. 14 Jul, 2012 1 commit
  8. 22 Mar, 2012 3 commits
  9. 21 Mar, 2012 1 commit
  10. 13 Jan, 2012 1 commit
  11. 12 Jan, 2012 1 commit
    • ceph: always initialize the dentry in open_root_dentry() · d46cfba5
      Alex Elder committed
      When open_root_dentry() gets a dentry via d_obtain_alias() it does
      not get initialized.  If the dentry obtained came from the cache,
      this is OK.  But if not, the result is an improperly initialized
      dentry.
      
      To fix this, call ceph_init_dentry() regardless of which path
      produced the dentry.  That function returns immediately for a dentry
      that is already initialized; it is safe to use either way.
      
      (Credit to Sage, who suggested this fix.)
      Signed-off-by: Alex Elder <aelder@sgi.com>
  12. 10 Jan, 2012 1 commit
  13. 07 Jan, 2012 1 commit
  14. 03 Dec, 2011 1 commit
  15. 12 Nov, 2011 1 commit
    • ceph: initialize root dentry · 774ac21d
      Sage Weil committed
      Set up d_fsdata on the root dentry.  This fixes a NULL pointer dereference
      in ceph_d_prune on umount.  It also means we can eventually strip out all
      of the conditional checks on d_fsdata because it is now set unconditionally
      (prior to setting up the d_ops).
      
      Fix the ceph_d_prune debug print while we're here.
      Signed-off-by: Sage Weil <sage@newdream.net>
  16. 06 Nov, 2011 1 commit
  17. 26 Oct, 2011 3 commits
  18. 23 Aug, 2011 1 commit
  19. 27 Jul, 2011 2 commits
  20. 30 Mar, 2011 1 commit
  21. 22 Mar, 2011 2 commits
  22. 20 Jan, 2011 1 commit
  23. 13 Jan, 2011 2 commits
    • ceph: fsc->*_wq's aren't used in memory reclaim path · 01e6acc4
      Tejun Heo committed
      fsc->*_wq's aren't depended upon during memory reclaim.  Convert to
      alloc_workqueue() w/o WQ_MEM_RECLAIM.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Sage Weil <sage@newdream.net>
      Cc: ceph-devel@vger.kernel.org
      Signed-off-by: Sage Weil <sage@newdream.net>
    • ceph: implement DIRLAYOUTHASH feature to get dir layout from MDS · 14303d20
      Sage Weil committed
      This implements the DIRLAYOUTHASH protocol feature, which passes the dir
      layout over the wire from the MDS.  This gives the client knowledge
      of the correct hash function to use for mapping dentries among dir
      fragments.
      
      Note that if this feature is _not_ present on the client but is on the
      MDS, the client may misdirect requests.  This will result in a forward
      and degrade performance.  It may also result in inaccurate NFS filehandle
      generation, which will prevent fh resolution when the inode is not present
      in the client cache and the parent directories have been fragmented.
      Signed-off-by: Sage Weil <sage@newdream.net>
  24. 29 Oct, 2010 1 commit
  25. 21 Oct, 2010 1 commit
    • ceph: factor out libceph from Ceph file system · 3d14c5d2
      Yehuda Sadeh committed
      This factors out protocol and low-level storage parts of ceph into a
      separate libceph module living in net/ceph and include/linux/ceph.  This
      is mostly a matter of moving files around.  However, a few key pieces
      of the interface change as well:
      
       - ceph_client becomes ceph_fs_client and ceph_client, where the latter
         captures the mon and osd clients, and the fs_client gets the mds client
         and file system specific pieces.
       - Mount option parsing and debugfs setup is correspondingly broken into
         two pieces.
       - The mon client gets a generic handler callback for otherwise unknown
         messages (mds map, in this case).
       - The basic supported/required feature bits can be expanded (and are by
         ceph_fs_client).
      
      No functional change, aside from some subtle error handling cases that got
      cleaned up in the refactoring process.
      Signed-off-by: Sage Weil <sage@newdream.net>
  26. 04 Aug, 2010 1 commit
  27. 02 Aug, 2010 5 commits
  28. 11 Jun, 2010 1 commit